Re: LsaRemoveAccountRights

• Previous message: Jiachuan Wang [MSFT]: "Re: Can't get something basic to work (WMI)"
• In reply to: Amit Rahul [MS]: "Re: LsaRemoveAccountRights"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 17 Apr 2004 19:45:52 -0400

On 4/17/04 2:17 AM, in article eFRpZOEJEHA.3500@TK2MSFTNGP10.phx.gbl, "Amit
Rahul [MS]" <arahul@online.microsoft.com> wrote:

> One addendum to the example below, it should be
> lpright = SE_INTERACTIVE_LOGON_NAME to be used with LsaRemoveAccountRights
> rather than SE_DENY_INTERACTIVE_LOGON_NAME. It was a typo. :-(
>

Thanks for your help.

After creating an account, it was those APIs (LsaEnumerateAccountRights etc)
were always returning that the account was not found until I called
LsaCreateAccount with the account SID. This LsaCreateAccount function was
not documented though, but it did the trick. And it was listed in that KB
article in my previous post. So its listed in the sample as the way to do
it (LsaOpenAccount & LsaCreateAccount) but not in the public header file.

I was opening the LsaOpenPolicy handle correctly and getting back a valid
handle. It it didn't seem to be a question of access rights. Just that
somehow the account was not known by the Local Security Authority until I
called LsaCreateAccount.

Further, when I added my account to the list of those to be denied
interactive login with the account management UI, then my code worked, ie.
LsaEnumerateAccountRights started working.

So I'm not sure what is going on exactly, since I got this to work with
undocumented code.

If you would like a small sample that demonstrates this behavior let me
know.

-John

• Previous message: Jiachuan Wang [MSFT]: "Re: Can't get something basic to work (WMI)"
• In reply to: Amit Rahul [MS]: "Re: LsaRemoveAccountRights"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]